This is most likely the double hop problem, where the WinRM process on the
Windows side is unable to authenticate itself when talking to a downstream
server [1].
There are a few ways you can solve this:
- Use become on the task [2]
- Use CredSSP as your authentication protocol with WinRM
- Set up Kerberos delegation through either
  - Unconstrained delegation
  - Constrained delegation
  - Resource based delegation
Thanks
Jordan
[1]
https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.3
[2]
https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html#become-and-windows
On Tuesday, May 2, 2023 at 11:27:32 AM UTC+10 Gregory Machin wrote:
> Hi,
>
> I'm currently testing using AWX as an API to run PowerShell commands via
> ansible playbooks.
>
> I'm currently testing using the Get-ADUser command as this is close to
> what I'll be doing.
>
> I'm using the following Ansible playbook
>
> - name: Test Extra Variables and PowerShell Command
>   hosts: all
>   collections:
>   tasks:
>     - name: Show Extra Variables
>       debug:
>         msg:
>           - "NewUserName: {{ NewUserName }}"
>           - "UserManager: {{ UserManager }}"
>
>     - name: Run PowerShell Command with SYSTEM account
>       ansible.windows.win_shell: |
>         whoami
>         Test-NetConnection server.Domain.local -port 9389
>         Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite
>         Get-ADUser -Identity {{ NewUserName }}
>       register: result
>
>     - name: Show PowerShell Command Result
>       debug:
>         var: result.stdout_lines
>
> but get-ADUser errors with :
>
> Get-ADUser : Unable to contact the server. This may be because this server
> does not exist, it is currently down, or it does not have the Active
> Directory Web Services running.
> At line:4 char:1
> + Get-ADUser -Identity bbuilder
> + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo : ResourceUnavailable: (bbuilder:ADUser) [Get-ADUser], ADServerDownException
>     + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADUser
>
> but I don't have any issues running Get-ADUser under my account or the
> service account used for the playbook on the same server.
>
> the following in the playbook work as expected:
> Test-NetConnection server.Domain.local -port 9389
> Get-ADDomainController -ForceDiscover -Discover -Service ADWS -NextClosestSite
>
> It feels like there is something missing in the PowerShell environment used by
> Ansible, but I can't see what could cause this.
>
> Please advise.
>
> thank you
> G
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/b1e7c4ba-bf43-4fc3-9cab-153c70f5107en%40googlegroups.com.
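The first option in Jordan's reply (become on the task), applied to the Get-ADUser task from the original playbook, as an added example that is not part of the thread. It assumes that `ansible_user` and `ansible_password` are the WinRM credentials AWX already injects for the host (for example from a Machine credential), that this account is allowed to read the user object, and that `NewUserName` arrives as an extra variable as in the original post.

```yaml
# Added example, not code from the original thread.
# Assumptions: ansible_user / ansible_password hold the WinRM credentials for
# the Windows host, and that account may query Active Directory.
- name: Query AD from a WinRM session without hitting the double hop
  hosts: all
  tasks:
    - name: Run Get-ADUser with network credentials attached to the process
      ansible.windows.win_shell: |
        whoami
        # Read the user name from the environment instead of templating the
        # extra var into the script, so a crafted value cannot inject extra
        # PowerShell into the command line.
        Get-ADUser -Identity $env:NEW_USER_NAME
      environment:
        NEW_USER_NAME: "{{ NewUserName }}"
      # become with the runas method logs the task's process on again.
      # logon_type=new_credentials keeps the local token as it is but attaches
      # the supplied credentials for outbound network authentication only,
      # which is the hop from the WinRM host to ADWS (TCP 9389) on the domain
      # controller that was failing in the original playbook.
      become: true
      become_method: runas
      become_user: "{{ ansible_user }}"
      become_flags: logon_type=new_credentials logon_flags=netcredentials_only
      vars:
        ansible_become_password: "{{ ansible_password }}"
      register: result

    - name: Show PowerShell Command Result
      ansible.builtin.debug:
        var: result.stdout_lines
```

If you prefer the second option, set `ansible_winrm_transport: credssp` on the host (pywinrm needs the `credssp` extra installed on the controller, and the Windows side needs `Enable-WSManCredSSP -Role Server`). Keep in mind that CredSSP hands the target host your credentials in a form it can reuse, so only use it over a validated TLS listener and only on hosts you would trust with those credentials anyway. Of the Kerberos delegation options, constrained or resource-based delegation scoped to the ADWS service on the specific domain controller is the least-privilege choice; unconstrained delegation lets the WinRM host impersonate any user who authenticates to it, not just the automation account.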